Monday, April 28, 2014

Multi-Brand French Phisher uses EDF Group for ID Theft

At the end of January last year, French power company EDF advised the public that they were seeing a significant rise in the number of phishing complaints they were receiving from their customers. An English-language story from The Connexion, "EDF customers hit in 'phishing' scam", reports an EDF spokesperson as saying that beginning in August of 2012 they were seeing 20,000 customers per month complaining about the phish, and that in January 2013 it had risen to as many as 40,000 customers per month. As many as 200 to 300 new phishing sites per month were being created at that time.

This week Malcovery is noticing that the EDF phish are back, with a twist! The current EDF phish are asking for documents with an enormous value for identity theft and are targeting many different French banks with the information. Here's what a currently live phishing site looks like:

Zooming in on the data being requested, we see typical information.

Email, Password, Title, Name, Address, City, Postal Code, and Date of Birth.

While EDF has world-wide operations, a large number of their tens of millions of utility customers are in France.

The email they receive is likely to be the same one seen in France last year that advises:

Votre paîement a été refusée par votre établissement bancaire. […] Pour éviter la pénalités de retard, nous vous donnant la possibilité de payer en ligne en utilisant votre carte bancaire.

(or in English: "Your payment was declined by your bank ... To avoid late fees, we give you the option to pay online using your credit card.")

After providing the basic information, they are prompted to choose which bank issued the credit card they will be using to pay their bill:

Choices are:

Axa Banque
Banque populaire
Caisse d’epargne
Credit agricole
Credit mutual
Credit du nord
Societe generale
La banque postale

and then enter their Credit Card information:

The most interesting part of the phish, however, is what comes next! The Phishers then tell them that in order to prove they are really in charge of this account, they must upload at least two forms of proof of identity!

  • Identity Card
  • Credit Card
  • A copy of a Bank statement
  • An invoice proving the address

Whichever documents I attempted to upload, it kept insisting that I needed to upload additional documents.

Although this case is most accurately described as an EDF phish, there are actually thirteen targeted banks, and an unlimited number of forms of identity theft that could occur if some victim were to provide all of the requested information. Just another example of how the phishers use FEAR (an unpaid Utility bill that could result in Termination of Service) to steal our credit card information!

Saturday, April 12, 2014

Zeus Criminals charged in Omaha, Nebraska

Legal documents analyzed below are available at the bottom of this DOJ article: Nine Charged in Conspiracy to Steal Millions of Dollars using Zeus Malware

We've talked about Zeus in this blog for many years, including some good arrests, such as Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested. But we now have names for the ring leaders of the biggest Zeus case of all time, Operation Trident BreACH. We knew the aliases of the Ring Leaders publicly thanks to Microsoft's work back in 2012 (see Microsoft DCU, FS-ISAC and NACHA vs. Zeus) but who were these mystery men: tank and petr0vich?

Now we know ... more anyway ... Two Ukrainian members of the Jabber Zeus gang stood in federal court in Omaha, Nebraska last week to plead "Not Guilty" after being extradited from the UK. Yuriy Konovalenko and Yevhen Kulibaba are among the nine people listed in the indictments that have been sealed since August of 2012. The list of defendants is:

  • Vyacheslav Igorevich Penchukov, AKA tank, AKA father
  • Ivan Viktorvich Klepikov, AKA petr0vich, AKA nowhere
  • Alexey Dmitrievich Bron, AKA thehead
  • Alexey Tikonov, AKA kusanagi
  • Yevhen Kulibaba, AKA jonni
  • Yuriy Konovalenko, AKA jtk0
  • John Doe #1, AKA lucky12345
  • John Doe #2, AKA aqua
  • John Doe #3, AKA mricq

DOJ is still seeking four of the named criminals, and still has not publicly acknowledged the names of the three John Does. If you have information on these, please reach out to the FBI!

Tank == Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.

Petr0vich == Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.

TheHead == Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.

Kusunagi == Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.

Although jonni is only now coming to trial in the United States, the Metropolitan Police of London arrested Kulibaba and his wife Karina Kostromina back in October of 2011, as we learned from KrebsOnSecurity in his article ZeuS Trojan Gang Faces Justice. Yuriy Konovalenko, AKA Pavel Klikov, was also in custody in the UK and was "due to be sentenced" according to Krebs' article.

Many of the crimes covered in this indictment are well known to us already, largely due to the work of journalist Brian Krebs. While Krebs was still at the Washington Post writing his Security Fix column, he made Zeus a household name.

Selected Victims:

  • Bank of America
  • Bullitt County Kentucky - Security Fix, Brian Krebs, July 2009. -- Bullitt County had $415,000 stolen from their accounts after being infected by Zeus.
  • Doll Distributing of Des Moines, Iowa
  • First Federal Savings Bank of Elizabeth Town, Kentucky
  • Franciscan Sisters of Chicago, (Homewood, Illinois)
  • Husker AG, LLC of Plainview, Nebraska
  • Key Bank of Sylvania, Ohio
  • ODAT LLC, d/b/a Air Treatment Company
  • Parago, Inc of Lewisville, TX
  • Salisbury Bank & Trust of Salisbury, MA
  • Town of Egremont, Mass
  • Union Bank and Trust of Lincoln, Nebraska
  • Union Bankshares of Ruther Glen, VA
  • United Dairy, Inc of Martins Ferry, OH

The version of Zeus at the heart of this investigation communicated stolen credentials to a server located on the IP address at in Brooklyn, NY. An FBI Agent interviewed Mohammed Salim in September 2009, who confirmed that the server in question, called the Incomeet server, was custom built for a Russian company "IP-Server Ltd" in Moscow, whose POC was "Alexey S." Extensive chat logs were recovered from the server with four separate search warrants - September 28, 2009, December 9, 2009, March 17, 2010, and May 21, 2010. Those web servers showed the criminals discussing their conspiracy, including many instances of the criminals trading login credentials for bank accounts.

Those chats also showed that the criminals closely follow Brian Krebs! Tank and Aqua are shown discussing his Bullitt County article linked above and saying "They laid out the entire scheme! I'm really pissed! They exposed the entire deal!"

Doll Distributing had $59,222 stolen from them on two occasions. One of those wire transfers went to "Pandora Service, LLC" and to "Kodash Consulting." FBI Agents interviewed Heidi Nelson and Renee Michelli, the proprietors of those organizations, who had believed they were acting as "Financial agents" for a Russian software company. In other words, they were money mules.

All of the victims named above were discussed in the chat logs by the criminals charged in this case.

I especially enjoyed learning how TANK was identified by name. In the chat, on July 22, 2009, he announced that his daughter, Miloslava, had been born and gave her birth weight. A records search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day. Her father was Vyacheslav Igorevich Penchukov. This was enough to seize the computers from Tank's home, which confirmed it was the same person!

Petr0vich was discovered because of mentions of the email address "" in the chat logs. Gmail was subpoenaed to get records for this email account, which showed "" had been used to log in to that email address at least 790 times. The secondary email for that account, "", was given when the account was created November 24, 2004. Several other addresses were used to login to both the petr0vich jabber account on the Incomeet server and the Gmail address, including Similar techniques were then used to find the computers located at those IP addresses. Ivan Viktorovich Klepikov was found to be living in Donetsk, Ukraine.

TheHead stated his real name in the chat, and gave his gmail account as "". He was telling the truth.

Kusunagi gave a phone number in the chat, and investigators found that phone number on a public webpage where Alexey Tikonov's real name and contact information were given. He lived in Tomsk, Russia. He also used his Kusanagi identity to post videos, and WHOIS information related to those videos' location confirmed his location.

Jonni and Jtk0 were identified by Detective Sergeant Simon Williams of the Metropolitan Police of London.

We'll talk more about this case in another post soon . . .

Friday, April 11, 2014

Phishers, Framesets, and Grocery Surveys

Like most criminals, or let's face it, most programmers, Phishers are lazy. They like to be able to create one website and have it live for an extended period of time. Unfortunately for them, victim companies either smash new phishing sites as fast as they can, or they hire companies to do it for them. At Malcovery Security we concentrate on INTELLIGENCE rather than takedown, so our focus is in understanding what the sites can teach us about the criminal behind the attack, and how the many attacks against your brand are related to each other and to attacks against other brands.

A friend of ours shared a link to a website today that was imitating Centra, a convenience and grocery chain throughout Ireland.

The accompanying spam message promises that they will pay us 150 Euros just for taking their survey!

For the convenience of the consumer, rather than having to wait for a check (cheque) in the mail, you can just enter all of your Credit Card information, and your Date of Birth and some other personal details, and they'll deposit the money right into your credit account!

As we looked at the log files, we found an interesting fact. NONE of the more than 900 visitors to the website had visited the site DIRECTLY. They were all being referred from other URLs. This is our indicator that the spam messages did NOT contain a link to the domain shown above. Instead, they were pointing at websites with Chinese domain names!

[10/Apr/2014:01:06:08 GET /Centra/centra/
[10/Apr/2014:01:07:46 GET /Centra/centra/
[10/Apr/2014:01:07:52 GET /Centra/centra/
[10/Apr/2014:01:08:28 GET /Centra/centra/
[10/Apr/2014:01:08:51 GET /Centra/centra/
[10/Apr/2014:01:09:14 GET /Centra/centra/
[10/Apr/2014:01:09:24 GET /Centra/centra/
[10/Apr/2014:01:09:28 GET /Centra/centra/
[10/Apr/2014:01:09:42 GET /Centra/centra/
[10/Apr/2014:01:09:45 GET /Centra/centra/
[10/Apr/2014:01:09:55 GET /Centra/centra/
[10/Apr/2014:01:10:27 GET /Centra/centra/
[10/Apr/2014:01:10:31 GET /Centra/centra/


[11/Apr/2014:00:46:22 GET /Centra/centra/
[11/Apr/2014:00:58:02 GET /Centra/centra/
[11/Apr/2014:01:06:46 GET /Centra/centra/
[11/Apr/2014:01:16:22 GET /Centra/centra/
[11/Apr/2014:01:18:38 GET /Centra/centra/
[11/Apr/2014:01:18:48 GET /Centra/centra/
[11/Apr/2014:01:23:23 GET /Centra/centra/
[11/Apr/2014:01:25:27 GET /Centra/centra/
[11/Apr/2014:01:25:49 GET /Centra/centra/

When we look at the websites on "" and "" we see that both of them actually consist ONLY of a "FrameSet" that sends us to the location of the CENTRA phish:

The logs ALSO reveal that another brand is being hosted on the same server!

[10/Apr/2014:05:19:16 GET /texc/
[10/Apr/2014:05:20:03 GET /texc/
[10/Apr/2014:05:20:09 GET /texc/
[10/Apr/2014:05:28:47 GET /texc/
[10/Apr/2014:05:30:31 GET /texc/
[10/Apr/2014:05:37:56 GET /texc/
[10/Apr/2014:05:48:45 GET /texc/
[10/Apr/2014:05:50:27 GET /texc/
[10/Apr/2014:05:53:44 GET /texc/
[10/Apr/2014:05:57:39 GET /texc/

Since most of the time when I'm in the UK I am running dawn to dusk in meetings, Tesco is the only store I've actually ever shopped in, since there is one on every street corner in London. The phishers have correctly updated their currency to use Pounds instead of Euros: "TESCO Supermarkets will add £150 credit to your account just for taking part in our quick survey." but other than that, this is the same phish!

And, as with the other, the actual advertised URL from the spam campaign is hosted in China, and simply updates the content with a Frame SRC = .
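The referrer analysis described above can be reproduced with a short script. This is an added example, not code from the original post: it assumes Apache "combined" log format, and the log lines, the `.example` hostnames, the client IPs and the `step2.php` path are all constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (Apache "combined" format). Client IPs are documentation
# addresses and every hostname is a reserved .example placeholder.
OWN_HOST = "phish-host.example"
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2014:01:06:08 +0000] "GET /Centra/centra/ HTTP/1.1" 200 5120 "http://loader-one.example/" "Mozilla/5.0"
192.0.2.11 - - [10/Apr/2014:01:07:46 +0000] "GET /Centra/centra/ HTTP/1.1" 200 5120 "http://loader-one.example/" "Mozilla/5.0"
192.0.2.12 - - [10/Apr/2014:01:07:52 +0000] "GET /Centra/centra/ HTTP/1.1" 200 5120 "http://loader-two.example/survey" "Mozilla/5.0"
192.0.2.12 - - [10/Apr/2014:01:08:30 +0000] "POST /Centra/centra/step2.php HTTP/1.1" 200 2048 "http://phish-host.example/Centra/centra/" "Mozilla/5.0"
192.0.2.13 - - [10/Apr/2014:05:19:16 +0000] "GET /texc/ HTTP/1.1" 200 4096 "http://loader-three.example/" "Mozilla/5.0"
192.0.2.14 - - [10/Apr/2014:05:20:03 +0000] "GET /texc/ HTTP/1.1" 200 4096 "http://loader-three.example/" "Mozilla/5.0"
192.0.2.15 - - [09/Apr/2014:23:58:01 +0000] "GET /wps/woolworths/index.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.15 - - [09/Apr/2014:23:58:05 +0000] "GET /wps/woolworths/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def kit_root(path):
    """First path segment, used as the per-brand kit directory (/Centra/, /texc/)."""
    parts = [p for p in urlsplit(path).path.split("/") if p]
    return "/" + parts[0] + "/" if parts else "/"


def classify(referer, own_host):
    """Return (kind, host): direct, internal (same site) or external."""
    if referer in ("", "-"):
        return "direct", None
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return "direct", None
    return ("internal", host) if host == own_host else ("external", host)


def summarize(log_text, own_host):
    """Per kit directory: direct hits, same-site hits, 404s, external referrer hosts."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        entry = report.setdefault(kit_root(m["path"]), {
            "direct": 0, "internal": 0, "missing": 0, "external": Counter()})
        if m["status"] == "404":
            entry["missing"] += 1  # probes for content no longer on the server
            continue
        kind, host = classify(m["referer"], own_host)
        if kind == "external":
            entry["external"][host] += 1
        else:
            entry[kind] += 1
    return report


def framed_kits(report):
    """Kits never visited directly: every landing came through another site."""
    return {root: sorted(e["external"])
            for root, e in report.items()
            if e["direct"] == 0 and e["external"]}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, OWN_HOST)
    for root, hosts in framed_kits(result).items():
        print(f"{root}: no direct visits, referred by {', '.join(hosts)}")
    for root, e in result.items():
        if e["missing"]:
            print(f"{root}: {e['missing']} requests answered 404")
```

The external hosts it reports are the pages to fetch and inspect for a frameset, and the 404-only directories point at brands the same actor hosted earlier.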

Remnants in the logs make it seem likely that this phisher has also targeted Woolworths (there are many 404 messages in the very early part of the phish for paths with /wps/woolworths/ in the path). Very likely this is a throw-back to the Woolworths phish from 2012. (Woolworths is a food chain in Australia. They got so many of these scams that they did television news announcements warning about it; see for example: Scam Alert (A Current Affair, November 2012).) Those spam messages looked like this:

Subject: Customer Satisfaction Survey! Win 150$


You have been selected by Woolworths Online Department to take part in our quick and easy reward survey. In return we will credit $150 to your account - Just for your time!

Helping us better understand how our members feel, benefits everyone.

With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous. No part of it is handed down to any third party groups. It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.

To access the form, please click on the link below :

Thursday, April 10, 2014

The indictment: United States v. Kilobit et al.

Today the U.S. government unsealed its indictment against Fifty-Five members of the carding forum. We wrote about before on this blog, back in March 2009 when a rival gang was trying to call attention to by sending out spam advertising the site. (See: Carders do battle through spam.) No wonder they were jealous! Today's indictment shows the guys performed over $50 Million in fraudulent charges!

Named in the indictment were 39 individuals, all charged with "General Allegations" called:

Count One (Participate in a Racketeer Influenced Corrupt Organization [RICO])
Count Two (Conspiracy to Engage in a Racketeer Influenced Corrupt Organization).

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of counterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the organization operate principally in Las Vegas, Nevada, and elsewhere."

Here's the list:

| NAME | AKA List | Counts Charged |
|---|---|---|
| Roman Zolotarev | Admin, Support | 1-2, 19 |
| Konstantin Lopatin | Graf | 1-2, 33, 44, 47 |
| Alexander Kostyukov * | Temp, KLBS | 1-2, 3-17 |
| Maceo Boozer III | XXXSimone, G4, El Padrino, Mr. Right, MRDC87 | 1-2, 3-17 |
| Tin-Yueng Wong | Ray Wong, Ray | 1-2, 3-17 |
| Edward Montecalvo * | N1ghtmare, Tenure44 | 1-2, 3-17, 22-55 |
| Yu Feng Wang | Ibatistuta | 1-2 |
| Mohamed Amr Mahmoud | Amr Mahmoud, CC--Trader, Kengza | 1-2, 20, 22-55 |
| Jermaine Smith | SirCharlie57, FairBusinessman | 1-2, 61-62 |
| Makyl Haggerty | Wave | 1-2 |
| Aladelola Teslim Ajayi | Bank Manager, Document Manager, Corey | 1-2, 61-62 |
| Alexandru Ion | AbagnaleFrank | 1-2 |
| Jordan Georgievski | Devica | 1-2 |
| Roman Seleznev | Track2, Bulba, NCUX | 1-2, 22-55 |
| Qasir Mukhtar | Caliber | 1-2, 56-60 |
| Roy Ayad | Rabie Ayad, Patistota | 1-2, 22-55 |
| Mina Morris | Source | 1-2, 22-55 |
| Rachid Idaali | C4rd3r | 1-2, 22-55 |
| Liridon Musliu | Bowl | 1-2, 22-55 |
| Sergei Litvinenko | Dorbik, Matad0r | 2 |
| Michael Lofton | Killit, Lofeazy | 1-2, 3-17 |
| Shiyang Gou | CDER | 1-2, 3-17 |
| David Ray Camez | Badman, DoctorSex | 1-2, 3-17 |
| Cameron Harrison | Kilobit | 1-2, 3-17 |
| Aleksandar Besarovic | Qiller | 1-2, 3-17 |
| Duvaughn Butler | Mackmann | 1-2, 21, 61-62 |
| Fredrick Thomas | 1Stunna | 1-2 |
| John Doe 1 | Senna071 | 1-2, 3-17 |
| John Doe 2 | Morfiy | 1-2, 3-17 |
| John Doe 3 | Gruber | 1-2, 18 |
| John Doe 4 | Maxxtro | 1-2 |
| John Doe 5 | Elit3 | 1-2 |
| John Doe 6 | Fozzy | 1-2, 22-55 |
| John Doe 7 | Vitrum, Lermentov | 1-2, 22-55 |
| Andrei Bolovan | Panther, Euphoric, Darkmth | 1-2, 22-55 |
| John Doe 8 | TM | 1-2, 22-55 |
| John Doe 9 | Zo0mer, Deputat | 1-2, 22-55 |
| John Doe 10 | Centurion | 1-2, 22-55 |
| John Doe 11 | Consigliori | 1-2, 61-62 |

While it is true that many carders are Russian, several folks on this list reside in the United States. This case, which DHS ICE calls "Operation: Open Market", has already seen 19 arrested in the United States, primarily in Las Vegas, where LOFTON, CAMEZ, BUTLER, LAMB, and VERGNETTI were arrested. (Some of those arrested are indicted separately and do not appear above.)

KOSTYUKOV was arrested in Miami at his home at 1100 Washington Avenue, Miami Beach. (He sent a letter to the judge asking for his property back, including his Hookah pipe and his Dr. Dre Beats headphones.)

KOSTYUKOV, 27, was arrested in Miami, Florida.
Boozer, 23, was arrested in Detroit, Michigan.
Montecalvo, 20, was arrested in Morgantown, WV.
Jermaine Smith, 31, was arrested in Newark, NJ
Makyl Haggerty, 22, lived in San Francisco,
Qasir Mukhtar, 27, in New York
Shiyang Gou, 27, in New York
Cameron Harrison, 25, in Augusta, GA
Fredrick Thomas, 31, in Orlando, FL
Omar Butt, 28, in New York
Bill Steffey, 33, in Sacramento,
Jason Maclaskey, 32, (at large?)
Derek Carder, 38, Sacramento
Robert Kephart, 38, Sacramento
Heather Dale, 21, Springfield, Orlando
Herbert Morrell, 50, Orlando
Roger Grodesky, 49, Warren, Ohio
John Holsheimer, 53, San Diego

David Ray Camez, a Nevada resident, for example, was convicted and was due to be sentenced today. (You may enjoy reading his Forfeiture document, which includes ATM machines, PVC Card Embossers, dozens of phones and computers as well as printers, cameras, and video games.) Camez was already serving a seven-year sentence in the State of Arizona for fraud charges he was convicted of there.

Back in 2012, ICE agents announced that they had arrested 19 in the US in an operation called "Operation: Open Market."

The full Fifty-one page indictment, originally introduced in court on January 10, 2012, and finally unsealed April 10, 2014, goes on to describe additional charges and activities, sometimes in great detail. The case against "Defendant 24, Cameron Harrison, AKA Kilobit" is being tried in Las Vegas, Nevada as CASE #: 2:12-cr-00004-APG-GWF-24.

The event that triggered the unsealing of the indictment was that Cameron Harrison pleaded guilty, WITHOUT BENEFIT OF A PLEA AGREEMENT! (See his nineteen-page guilty plea.) In addition to Count One and Count Two above, Cameron pleaded guilty to:

Count Sixteen: Trafficking in and Production of False Identification Documents and Aiding and Abetting, in violation of 18 U.S.C. § 1028(a)(1), (b)(1)(A)(ii), and (c)(3) and 18 U.S.C. § 2.

The Sentencing Guidelines that the prosecution is asking for are HUGE because they are describing the "Total amount of actual loss involved in the offense as $50,893,166.35" which gives a +24 to the Sentencing guidelines just for the financial losses!

Base Offense Level = 7
+24 (offense involved more than $50 Million of actual loss)
+6 (offense involved more than 250 victims)
+2 (offense involved receiving stolen property and the defendant was a person in the business of receiving and selling stolen property)
+2 (fraud committed from outside the US, involving a sophisticated means)
+2 (fraud involving possession of device-making equipment and trafficking in unauthorized and counterfeit access devices)
-3 (Acceptance of Responsibility)

Total Offense Level = 40

Restitutions that are declared in the Plea include:

American Express = $3,299,210.90

Discover Financial Services = $2,202,429.00

Master Card = $15,496,221.00

Visa Inc. = $29,895,305.45

Total = $50,895,305.45

Because this is a RICO case, EACH member of the Conspiracy can be found responsible for the full restitution. The Indictment requests that each have $20 million of their assets seized to help cover the costs. (Most have nowhere near that amount, of course...).

Roles of the Defendants

Despite the news headlines being about Kilobit (Cameron Harrison) today, Harrison was only a "Member" of the board. Far more important members are listed below by their roles on the various websites.

Administrator = "Roman ZOLOTAREV was the head of

As the head of the governing council, the administrator handles day to day management decisions of the organization, as well as long-term strategic planning for its continued viability. Zolotarev was the leader of the enterprise, appointing moderators, and directing other members and associates of the enterprise in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. In addition, ZOLOTAREV:

  • determines which individuals can become and remain members of the organization.
  • regulates the functions, responsibilities, and levels of access to information accorded to each member.
  • bestows the rewards accorded members for their loyalty to the organization, and sets the punishments to be meted out to members evidencing disloyalty to the organization.
  • decides when, how, and under what circumstances to attack and to retaliate against members of rival criminal organizations and their associated Internet website forums.
  • has full access to, and privileges on, the computer servers hosting the organization's websites.
  • has ultimate responsibility for the administration, maintenance, anonymity and security of the organization's computer servers.

Moderators = Konstantin LOPATIN and MAXXTRO

These defendants act as leaders of the enterprise, directing other members and associates in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. Moderators are members of the organization's governing council. They oversee and manage one or more subject matter specific areas on the organization's websites. Their jobs included assisting Zolotarev by:

  • monitoring and policing websites by editing and deleting members' posts and mediating disputes among members.
  • serving as Reviewers for products or services through the enterprise with which they have expertise.
  • Both LOPATIN and MAXXTRO possessed at least 15 counterfeit or unauthorized access devices.

Members are allowed to sell contraband, including counterfeit documents, stolen bank accounts, and credit card information. Reviewers examine and test products and services that members wish to advertise and sell on the websites. A favorable review is a prerequisite to selling contraband. Any member can be appointed to do a review, although they are usually done by Moderators or the Administrator.


Vendors advertise and sell products, services, and other contraband after receiving a favorable review.

Vendors among the defendants included:

Alexander KOSTYUKOV (Temp/Klbs) - a vendor of Cashout services. Cashout vendors remove funds from bank and credit card accounts and receive a fee between 45% and 62% of the funds received.

Maceo BOOZER (XXXSimone / G4 / El Padrino / Mr. Right / mrdc87) is a vendor of dumps. "Dumps" are stolen credit and debit card account data. They sold for between $15 and $150 per card, depending on the quantity purchased and the geographic location. United States cards are least expensive, and European cards are most expensive.

Ray WONG is a vendor of counterfeit plastic, a device-making implement used to produce counterfeit credit cards. WONG sold blank counterfeit plastic cards for $20 to $25 each, with a minimum order of 50 cards. Embossed counterfeit cards were $65 to $75 each with a minimum order of ten. Wong was also a vendor of dumps.

MONTECALVO (N1ghtmare / Tenure44) is a vendor of dumps, but also offered a dump checking service. He had the ability to validate a card against a real financial institution.

Yu Feng WANG (Ibatistuta) is a vendor of counterfeit cards, counterfeit holograms, and signature panels used to manufacture counterfeit credit cards. He sold blanks for $10-$15 each.

Mohamed Amr Mahmoud (AMR Mahmoud / CC--Trader / Kengza) is a vendor of CVV. While dumps are magnetic card stripe reads, CVVs are all of the account holder information - such as Name, DOB, SSN, address, telephone number, mother's maiden name, and the CVV2 code from the back of the card. MAHMOUD also sold Paypal accounts, Fullz (all of the above plus expiration date and PIN), and Enroll/COBs. The latter included all of the previous data, as well as username and password for the account's online access. Depending on the online balance, he would charge $140 to $200 per account.

Jermaine SMITH (Sircharlie57 / Fairbusinessman) is a vendor of plastic and counterfeit cards.

Makyl HAGGERTY (Wave) is a vendor of counterfeit identification documents and counterfeit cards. He sold counterfeit driver's licenses for between $100 and $200 each, depending on state, including CA, TX, WI, OH, RI, NV, PA, IL, FL, LA, AZ, HA, SC, GA, NJ, as well as BC Canada. He also sold blank counterfeit plastics and embossed cards.

Aladelola Teslim AJAYI is a vendor of counterfeit identification documents, stolen corporate account information, dumps, and counterfeit credit cards.

Alexandru ION (Abagnalefrank) is a vendor of dumps. He sells 100 mixed Visa and Master Card accounts for $1,500 or 100 AmEx cards for $1,000.

Jordan GEORGIEVSKI is a vendor of counterfeit credit cards and blank plastic, as well as embossed cards for $75 each.

Roman SELEZNEV (Track2 / Bulba / Neux ) is a vendor of dumps. He sold very large volume product through an automated website where members could load their desired cards into a shopping cart. Accounts sold for $20 each.

Qasir MUKHTAR (Caliber) is a vendor of counterfeit plastics, holograms, and signature panels.

Roy AYAD (Rabie Ayad / Patistota) is a vendor of CVVs, selling through an automated website.

Mina MORRIS (Source) is a vendor of dumps. Morris had an automated website to sell dumps.

Rachid IDAALI (C4rd3r) is a vendor of Fullz.

Liridon MUSLIU (Bowl) is a vendor of CVVs.

Sergei Litvinenko (Dorbik / Matad0r ) is a vendor of Bullet Proof Hosting services and infrastructure for criminal websites. These are ISPs that allow criminals to run illegal websites used for phishing, carding forums, or dump sites.

GRUBER is a vendor of counterfeit identification documents including drivers licenses ranging from $150 to $200 each.

ELIT3 is a vendor of Fullz. He also sells Enroll/COBs.

FOZZY is a vendor of dumps ranging from $12 to $100 each, depending on quantity and location.

VITRUM (Lermentov) is a vendor of dumps.

Andrei BOLOVAN (Panther / Euphoric / Darkmth) is a vendor of dumps.

TM is a vendor of dumps and CVVs, which he sells to members through an automated website.

Zo0mer (Deputat) is a vendor of stolen PayPal accounts, Proxies, Fullz, Credit Card Checking and Information Lookups.

CENTURION is a vendor of dumps.

CONSIGLIORI is a vendor of dumps and blank plastic.


Members must successfully complete a number of security features intended to keep out law enforcement and rival criminal organizations. Teams use a number of websites as "virtual clubhouses" to gather with other members in order to share information, solicit and recruit other members and to achieve the common objectives of the enterprise.

Members charged in this conspiracy include:

Michael LOFTON (Killit / Lofeazy)

Shiyang GOU (Cder)

David Ray CAMEZ (Bad Man / DoctorSex )

Cameron HARRISON (Kilobit)

Alexsandar BESAROVIC (Qiller)

Duvaughn BUTLER (Mackmann)

Fredrick THOMAS (1STunna )



The Charges

Count One and Two given above deal with Racketeering:


Acts 1 through 15 - Unlawful Trafficking In and Production of False Identification Documents

Acts 16, 17, 19 - Attempt to Unlawfully Produce False Identification Documents

Acts 18, 20, 21 - Conspiracy to Unlawfully Produce False Identification Documents

Act 22 - Conspiracy to Unlawfully Transfer False Identification Documents

Act 23 - Possession of Document-Making Implements

Act 24 - Conspiracy to Unlawfully Transfer, Possess, and Use a Means of Identification




Act 37 - Using and Trafficking in Unauthorized Access Devices

Acts 38 through 97 - Possession of 15 or more Unauthorized Access Devices

Acts 98 through 103 - Trafficking In and Possessing Access Device-Making Equipment

Acts 104 through 109 - Conspiracy to Traffic In and Possess Access Device-Making Equipment


Dealing with General Allegations from November 22, 2005 through June 2011:

Counts Three Through Seventeen - Trafficking in and Production of False Identification Documents

Count Eighteen - Attempting to Unlawfully Produce False Identification Documents, Aiding and Abetting

Count Nineteen - Conspiracy to Unlawfully Transfer False Identification Documents

Count Twenty - Unlawful Transfer, Possession and Use of a Means of Identification, Aiding and Abetting

Count Twenty-One - Trafficking in and Use of Counterfeit and Unauthorized Access Devices, Aiding and Abetting

Counts Twenty-Two through Fifty-Five - Possession of Fifteen or More Counterfeit and Unauthorized Access Devices, Aiding and Abetting

Counts Fifty-Six through Sixty - Trafficking In and Possessing Access Device-Making Equipment; Aiding and Abetting

Counts Sixty-One and Sixty-Two - Conspiracy to Traffic In and Possess Access Device-Making Equipment